CVE-2000-1190
Description
Local users can exploit a symlink vulnerability in imwheel-solo to modify arbitrary files via the .imwheelrc file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The imwheel-solo utility in the imwheel package follows symbolic links when processing the user's ~/.imwheelrc configuration file. This allows a local attacker to create a symlink from ~/.imwheelrc to any file on the system, causing imwheel-solo to write to that file with the privileges of the setuid process. The vulnerability affects all versions of imwheel prior to a fix, as noted in the Bugtraq discussion [2].
Exploitation
An attacker with local shell access can create a symbolic link from ~/.imwheelrc to a target file (e.g., /etc/shadow). Upon executing imwheel-solo, the program will follow the symlink and write to the target file, effectively allowing arbitrary file modification. No authentication beyond local user access is required [2].
Impact
Successful exploitation enables an attacker to overwrite arbitrary files on the system, including sensitive files such as /etc/shadow or /etc/passwd. This can lead to privilege escalation, denial of service, or complete compromise of the system's integrity and confidentiality.
Mitigation
No official patch is explicitly mentioned in the provided references. However, users should remove the setuid bit from imwheel-solo or restrict its execution to trusted users. Upgrading to a patched version of the imwheel package (if available from the distribution vendor) is recommended. The vulnerability is old and likely addressed in later releases.
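For programs that must write a per-user rc file, the symlink-following behaviour described above can be closed at the open() call itself. The following C sketch is an added example, not imwheel's code and not a fix taken from the references; the helper names `open_rc_for_write` and `demo_symlink_refused`, the temp-directory layout and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not imwheel code): open an rc file for rewriting,
 * refusing symlinks, non-regular files, foreign owners and hard links.
 * Returns an fd or -1. A setuid program should also drop privileges first. */
int open_rc_for_write(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW makes open() fail if the last path component is a symlink.
     * No O_TRUNC here: nothing is modified until the checks below pass. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() inspects the object actually opened, so there is no window
     * between check and use as there would be with stat() on the path. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a temp dir: ".imwheelrc" is a symlink to "victim".
 * Returns 1 if the link is refused, victim keeps its 6 bytes, plain rc opens. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/rcdemoXXXXXX", victim[64], rc[64], plain[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(rc, sizeof rc, "%s/.imwheelrc", dir);
    snprintf(plain, sizeof plain, "%s/plainrc", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int p = open(plain, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || p < 0 || write(v, "secret", 6) != 6 || symlink(victim, rc))
        return 0;
    close(v); close(p);
    int bad = open_rc_for_write(rc), good = open_rc_for_write(plain);
    int ok = bad < 0 && good >= 0 && stat(victim, &st) == 0 && st.st_size == 6;
    if (good >= 0) close(good);
    unlink(rc); unlink(victim); unlink(plain); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only guards the final path component, which is why the ownership and link-count checks on the opened descriptor are kept as a second layer.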
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- cpe:2.3:a:jon_atkins:imwheel:*:*:*:*:*:*:*:*
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.